Archive for the ‘News’ Category

Draft Privacy Bill Makes Your Location, Sexual Orientation “Sensitive Information”

Thursday, May 6th, 2010

On Tuesday, May 4, 2010, Representatives Rick Boucher, Democrat of Virginia, and Cliff Stearns, Republican of Florida, released a draft of a Congressional bill that would extend privacy protections both on the web and offline. Mr. Boucher is the chairman of the House subcommittee on communications, technology and the Internet, and Mr. Stearns is the panel’s ranking minority member. After collecting comments on the draft, the lawmakers hope to have formal legislation introduced within a month or so, Mr. Boucher reported in an interview.

There is currently no national legislation governing how companies tell consumers that they are collecting data, although companies do post privacy notices because certain state laws require it. This bill would be the first national law requiring businesses to post privacy notices.

The bill provides a privacy baseline, providing limited protection for “covered information” and much tougher protection for “sensitive information.” The bill makes a key distinction between the two kinds of data: covered information collection is “opt-out,” while sensitive information collection would become “opt-in” only.

According to the bill, covered information includes:

* The first name or initial and last name
* A postal address
* A telephone or fax number
* An e-mail address
* Unique biometric data, including a fingerprint or retina scan
* A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number
* A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account
* Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer

Companies and websites that disclose their data collection practices can harvest this data on the assumption that, by using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop all such data collection and prevent the company from using even previously acquired data.

Sensitive information can’t be collected and stored without an explicit opt-in assent by the consumer. The bill defines sensitive information as:

* Medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
* Race or ethnicity
* Religious beliefs
* Sexual orientation
* Financial records and other financial information associated with a financial account, including balances and other financial information
* Precise geolocation information

The proposed bill would expand what information should be considered confidential. It would also require companies to post clear and understandable privacy notices when they collect information. Such information could range from health or financial data to any unique identifier, including a customer identification number, a user’s race or sexual orientation, the user’s precise location or any preference profile the user has filled out. It could also include an Internet Protocol address, the numerical address assigned to each computer connecting to the Internet, which many companies now use to aim particular messages at users and which the companies argue is not personally identifiable.

The proposed bill already seems to be making everyone unhappy. The New York Times reports that privacy advocates have said that the bill does not go far enough in protecting consumers. Other groups, such as the Progress & Freedom Foundation, believe the bill “could unintentionally devastate the ‘free’ Internet as we know it,” since restricting the data collection that supports online advertising would result in “diminished consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide.”

To see the draft bill, click here.

To see the New York Times coverage of this bill, click here.

(hat tip to Ars Technica for its post on the bill)

Social Website “Blippy” Posts User Credit Cards Online

Saturday, April 24th, 2010

The social website Blippy, which allows users to share information about when and where they make purchases, is posing a data security risk to users after it was revealed Friday that user credit card numbers are appearing online.

VentureBeat first noticed the glitch and reported that credit card numbers appeared in some 130 Google search results, Mashable and CNET report. To date, Blippy has not responded to inquiries regarding this privacy breach. To see the ABA Journal article regarding this security glitch, click here.

For a New York Times article regarding the trend of oversharing of personal information on the web, click here.

For users of Blippy and other applications that share personal information, there is clearly a risk of someone misusing the credit card numbers or other personal information that you are publicly providing. So before you share, consider whether you are providing more information than necessary; once that information is public, it can easily fall into the wrong hands.
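The Blippy incident described above is a case of card numbers leaking through content a site publishes. The following is an added example, not code from Blippy or from this post, of the kind of check a site operator can run over outgoing text before it is published or indexed: it finds candidate card-number sequences, confirms them with the Luhn checksum (which avoids flagging order numbers and phone numbers), and masks all but the last four digits. The sample purchase records are constructed for the example and use well-known test card numbers, not real accounts.

```python
import re
from typing import List

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens. The lookbehind/lookahead stop us matching inside a
# longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip separators from a regex match so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digit strings of every Luhn-valid card-like number in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, e.g. ************1111."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card-like number in text with its masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()          # not a card number; leave it untouched
    return _CANDIDATE.sub(_sub, text)


# Constructed sample records (not real data). The second record contains a
# 16-digit order number that fails the Luhn check and so is not flagged.
SAMPLE_RECORDS = [
    "Coffee at Main St Cafe $4.25 charged to 4111 1111 1111 1111",
    "Bookstore order #1234567890123456 paid with card ending 0005",
    "Groceries $82.10 - card 378282246310005 - call 617-555-0100 with questions",
]


def scan_records(records: List[str]) -> List[List[str]]:
    """Return, for each record, the list of card numbers it exposes."""
    return [find_pans(r) for r in records]


if __name__ == "__main__":
    for record, pans in zip(SAMPLE_RECORDS, scan_records(SAMPLE_RECORDS)):
        status = "LEAK" if pans else "ok  "
        print(f"{status} {redact(record)}")
```

The Luhn check is what keeps the scanner useful: without it, any 13 to 19 digit run (order numbers, tracking numbers, timestamps) would be masked too, and operators would quickly learn to ignore the alerts. A deployment would run `redact` on every field before it reaches a public page or a search-engine-visible feed.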

Medical Information Theft on the Rise

Tuesday, March 23rd, 2010

Business Week reports that medical ID theft is on the rise. There were more than 275,000 cases of medical information theft in the U.S. last year, twice the number in 2008, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm. The average fraud cost $12,100, Javelin said. Given that about 44 percent of U.S. doctors used some form of electronic records last year, according to the National Center for Health Statistics, such theft is not surprising.

Individuals are using stolen information to file false claims. Criminals also set up fake clinics to bill for phony treatments, according to Pam Dixon, founder of the World Privacy Forum, a non-profit consumer-research group based in San Diego, California, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, as in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The purpose of creating the digital files was to improve care and help lower costs, but digitizing these files makes the information more vulnerable to theft or hacking.

Insurers are working on improving technology to spot false claims, but better standards are needed. The government is considering new regulations to enhance the privacy and security of health information, said David Blumenthal, national coordinator for Health Information Technology at the Health and Human Services Department. Precautions, such as adding photos to patient records, are being adopted by some medical facilities.

Given the mobility of the current population, it makes sense that a person’s medical records are available whether that person is seeking treatment while living in Boston or needs emergency care while vacationing in California. The medical community needs to take all necessary safeguards to protect patient data and to ensure that the software used to store such sensitive patient information is as secure as possible.

To read more, please go to Business Week.

Happy Data Privacy Day!

Thursday, January 28th, 2010

Data Privacy Day is January 28, 2010.  Data Privacy Day 2010 is a division of The Privacy Projects, a nonprofit think tank and research organization dedicated to facilitating the role of consumer privacy and data protection in regulatory controls, technological innovation and consumer protection with key stakeholders; to the development and promotion of privacy standards;  and to the promotion of collaboration, cooperation and shared responsibility in the areas of individual data protection and commercial management of personal information.

According to its website, Data Privacy Day is an annual international celebration to raise awareness and generate discussion about information privacy.  In 2009, both the U.S. Senate and House of Representatives recognized January 28th as National Data Privacy Day.

Over the past few years, privacy professionals, corporations, government officials and representatives, academics, and students in the United States, Canada, and 27 European countries have participated in a wide variety of privacy-focused events and educational initiatives in honor of Data Privacy Day.  They have conducted discussions, examined materials and explored technologies in an effort to bring information privacy into our daily thoughts, conversations and actions.

Data Privacy Day has also provided an opportunity to promote teen education and awareness about privacy challenges when using mobile devices, social networking sites and other online services.

For more information about Data Privacy Day or The Privacy Projects, click here.

Mass. SJC Issues Order for Protection of Personal Information

Wednesday, January 27th, 2010

The Massachusetts Supreme Judicial Court issued an order on January 7, 2010 regarding the protection of specific personal information collected and maintained by the Massachusetts judicial branch in accordance with M.G.L. c. 93H.

The Order requires protection of specified personal information, as defined by M.G.L. c. 93H, of all individuals, including non-residents. Each appellate court, the Trial Court and any court affiliate that owns, stores or maintains such personal information is required to develop and implement an information security program to protect personal information from a data breach.

According to the Order, the program is to ensure that courts and court affiliates collect the minimum quantity of personal information reasonably needed to accomplish the legitimate purpose for which the information is collected; securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss; provide access to and disseminate the information only to those who reasonably require the information to perform their duties; and destroy the information as soon as it is no longer needed or required to be maintained.

The SJC’s Order sets out the details of what such information security program shall include.  The Order also provides for departmental reviews of the collection and maintenance of personal information; review of the manner in which personal information is electronically stored; and requires that all contracts entered into by the judicial branch contain provisions regarding data breach notification and require compliance with court information security programs.

Compliance with the Order is required by September 1, 2010.  To see the SJC’s complete Order on the Protection of Personal Information, click here.

Connecticut AG Suing under HIPAA HITECH Act for Breach of Patient Records

Friday, January 15th, 2010

Connecticut Attorney General (AG) Richard Blumenthal announced that he is suing Health Net of Connecticut for a data breach resulting in the exposure of the patient medical records and financial records of 446,000 Connecticut enrollees, which were allegedly stored on an unencrypted portable computer disk drive that disappeared from the company’s office in Shelton, Conn. on or about May 14, 2009.

This case will mark the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorizes state attorneys general to enforce HIPAA.

For more information about this data breach, click here for the complete story on HealthImaging.com.

FTC Discusses Online Privacy Issues with the New York Times

Tuesday, January 12th, 2010

At a meeting with New York Times staff, the chairman of the F.T.C., Jon Leibowitz, and David Vladeck, chief of the commission’s Bureau of Consumer Protection, discussed online privacy and the news business, among other topics. Both indicated that they expect the F.T.C. to take a more active role in safeguarding consumer privacy. This may also be in light of pending federal legislation, the Data Accountability and Trust Act.

Topics covered at the meeting included the fact that few people actually read website privacy policies, and questions about the use of consumer data by data brokers, data aggregators, social networks, cloud computing services and mobile marketers. (These subjects will be part of a Jan. 28 F.T.C. roundtable on privacy, held in Berkeley, Calif.)

For more information, read the New York Times blog post about the meeting with the F.T.C. here: http://mediadecoder.blogs.nytimes.com/2010/01/11/ftc-has-internet-gone-beyond-privacy-policies/

Amex Gets $3.6 Million from Heartland for 2008 Data Breach

Saturday, December 19th, 2009

On December 17, 2009, Heartland Payment Systems announced that it would pay American Express $3.6 million to resolve charges stemming from a 2008 breach of Heartland’s payment system network, the AP reported.

Heartland’s data breach was the result of hackers installing spying software on Heartland’s computer network. These hackers also attacked 7-Eleven and Hannaford Brothers Supermarkets. The Department of Justice alleges that these hackers managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford.

Heartland has still not reached resolution of its disputes with other card brands, such as Visa and MasterCard, arising out of this data breach, but clearly, such additional settlements will cost Heartland additional millions.

New Massachusetts Data Security Regulations To Be Read Broadly

Thursday, November 13th, 2008

If you or your company have “personal information” concerning any Massachusetts resident (including information about your own employees), be prepared for a significant undertaking that may well affect the way you do business. The Commonwealth of Massachusetts has issued regulations pursuant to the state’s data breach notification law, and they are slated to go into effect on January 1, 2008. And while the notification law is largely consistent with the laws enacted by most other states, the regulations truly set Massachusetts apart.

The new regulations require any entity that maintains “personal information” regarding any Massachusetts resident to develop and implement a comprehensive, written information privacy plan that details how such information will be protected and secured.  The business must also designate an employee to be responsible for the plan. This much might have been expected.

What sets the Massachusetts regulations apart, however, are their scope and specificity.  The regulations list no less than twenty separate requirements for the plan, which mandate steps such as the training of all employees, the encryption of personal data on all laptops and mobile devices, the certification of all third-party service providers to ensure their appropriate treatment of personal information, and the institution of systems to monitor for data breaches and implement appropriate anti-virus software and up-to-date security patches.

The regulations purport to apply to anyone holding personal information about Massachusetts residents, whether or not they themselves operate or do business in Massachusetts. As an initial matter, this covers virtually every business with a Massachusetts employee, since the combination of a name and a Social Security number qualifies as “personal information.” Companies outside of Massachusetts that process Massachusetts residents’ personal information — which would include virtually every retailer — are also within its scope. Further, service providers who work with any such companies will effectively be forced to comply with the regulations as well, since covered entities may only share personal information with service providers who themselves are compliant with the new mandates. Lawsuits regarding the extra-jurisdictional reach of these regulations are sure to come.

At a recent Boston Bar Association event, David Murray — the general counsel of the Massachusetts agency responsible for the new regulations — responded to questions regarding them. His responses indicated that they are, indeed, as broad as their language suggests. For example, Murray’s view is that existing long-term agreements with third-party service providers are subject to the regulations, which essentially means that relationships between Massachusetts companies and the vendors they use to handle “personal information” will likely require additional due diligence and potentially a renegotiation of contract terms. Murray, responding to comments pointing out how dramatic the changes required by the new rules will be, said simply: “The regulations will not fit in with what is currently being done.”

Given the rapidly approaching January 1 deadline and the enormity of the task at hand, many believe that the Commonwealth will have little choice but to delay enforcement for six months or more. Further, the Attorney General’s Office, which will be in charge of enforcing the regulations, may take a “go slow” approach to clamping down. However, businesses should not dawdle in attacking this issue. First, implementation of the new information security plan will take time and resources, and even a six-month delay in the deadline will not give much breathing room. Second, independent of the AG’s enforcement strategy, the new regulations may well become a de facto standard against which hacked businesses are measured in civil suits. Businesses that find that customers’ credit card and financial account information has been lost or hacked may find themselves fielding more questions about their compliance from class action trial lawyers than from the Attorney General’s Office.

The system is screaming for a unification of the more than forty different regimes being implemented by various states across the country. Whether these regulations are sufficiently bold to move Congress to act has yet to be seen, but the election and the financial crisis may well leave data security legislation a low priority at the federal level. The prudent businessperson will neither assume that the Commonwealth will delay implementation of these regulations for any substantial period of time, nor rely on the federal cavalry to ride in at the last minute to save the day.

Below is a white paper discussing the regulations in more detail:

New Data Security Regulations Have Sweeping


Indictment Issued In Retail Hacking Scheme

Friday, August 8th, 2008

The Department of Justice issued an indictment involving the hacking of computer systems of nine major U.S. retailers. It purports to be the largest such case ever brought by the Department.

The indictment, brought in Boston, alleges that one Albert Gonzalez and others used a sophisticated attack that involved breaking into the retailers’ wireless networks and subsequently stealing credit card and other information using “sniffer” programs. The retailers involved include Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, OfficeMax, Sports Authority, and TJX Companies. Their actions allegedly involve the theft of more than 40 million credit card numbers, some of which were sold on the Internet and some of which were used to create counterfeit cards to “cash out” the accounts.

The Department of Justice has issued a press release, which can be found here. The indictment itself is available below:

Gonzalez, Albert – Indictment 080508